Auditing specific Windows log events

The institution that I work at had a requirement to verify that user account creations and deletions were being completed as requested and in a timely manner. Because we work in a Microsoft Windows Active Directory environment, the only way to verify that the accounts were added and removed was to get the information from the Event Logs, specifically the Security log. If you have ever looked at the Windows Security log, you know that there are thousands of events generated every day. In the case of the institution's logs, the Security log is 32 MB and spans about a 30 day period. Searching for a single event to verify that an account was created would be very time consuming. It is always nice when you can tell the CIO that you implemented something for no cost, so I always look for a freeware solution first.

A fair amount of searching the Internet turned up PSTools and the PSLogList utility. PSLogList is a command line tool that can be run locally on a server or remotely. You can feed it a username and password and run it against a remote server. You can also specify various options that let you search for specific Event IDs or specific date ranges. I could see only two pitfalls that would present a challenge for what we wanted to accomplish.

The first challenge was the fact that the utility was written to be run by an individual logged into a machine. Naturally this would make it difficult for us to automate the task. The second challenge was that the utility writes its standard output to the screen. Redirecting the screen output to a text file would easily solve this problem.

The best method of implementation for our situation was for the utility to be run unattended once per day. The package comes as a compressed file. I expanded it to my local hard drive and started playing with it. I began experimenting with the utility to determine the correct arguments necessary to extract the data that I needed to audit. I came up with the following:

 psloglist.exe /accepteula -s -d n -i xxx,xxx,xxx eventlog >> output.txt

In this example the "/accepteula" argument is not documented in the help file. When you run psloglist from the command line you will get a pop-up licensing agreement that you must accept. The "/accepteula" argument prevents that pop-up from launching, so the utility does not pause while it waits for a response from a user. The default output is formatted much like the Event Viewer display. The "-s" argument sets the output to a single line per event, separating fields with commas. The "-t" option (not used in this example) allows you to separate fields with characters other than a comma. The "-d n" option displays data from the previous n days. In my case I selected one (1) day, so the output only contains the data from the previous day. The "-i" option specifies up to 10 Event IDs to search for. The event IDs are separated by commas with no spaces between them. The final argument ("eventlog" above) tells the utility which event log to search; in my case I am directing the utility to search the "Security" log. Finally, as the utility is written to send its output to the screen, I am using the standard output redirection operator (">>") to append the results of the search to the end of a text file. By appending (rather than overwriting) the results to the output file, I can keep a running list of the events, allowing me to review the audit list at my leisure.

Option          Description
/accepteula     Automatically accept the license agreement, preventing the pop-up question
-s              Display each record on a single line, with fields separated by a comma (a different delimiter can be specified using the "-t" switch)
-d n            Display records from the previous n days
-i xxx,xxx...   The three-digit event IDs that you want included in the list, separated by commas; you may select up to 10 event IDs
eventlog        The event log to search (e.g. Security, System, Application, etc.)

Running the command above gave me exactly the results that I wanted. I can open the output file with a spreadsheet program and easily sort through the data to find what I need. The next step was to figure out how to get the utility to run as a scheduled task. The Scheduled Tasks program in Control Panel is the natural choice. All attempts to run the utility directly as a scheduled task failed, so I decided to try running it from within a batch file. I wrote the following simple batch file:

 @echo off
 REM Extract the previous day's account-management events from the Security log
 REM (624 created, 626 enabled, 628 password set, 629 disabled, 630 deleted, 642 changed)
 psloglist.exe /accepteula -s -d 1 -i 624,626,628,629,630,642 Security >> output.txt

Remember that the batch file needs to know where the utility is located. You can either specify the full path to the psloglist.exe file or copy the file to a directory that is in the PATH (e.g. c:\windows\system32). I chose to put the file in a directory within Program Files and specify the full path within the batch file.

I created a Scheduled Task for the batch file. I did not want this task to stop if my password expired or if I left the company, so I decided to use the service account that was created for the backup software. A service account is simply an AD user account created for a specific purpose. Service accounts are never used by people. Whereas user accounts have passwords that expire, passwords for service accounts never expire. I created the Scheduled Task using the backup service account. The task completed successfully and I got the results I was looking for. The day after the second successful run of the automated task, I had the administrator compare the output to the list of users that had been added, and it was a perfect match. Problem solved!

The next time the auditor asks me to prove that a user account was deleted as requested, we can go to the log extracts and search for the login ID. The log will show the date and time the account was deleted or disabled, and which administrator responded to the request.
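As an added example (not code from the original post, and not part of PsTools), here is a small Python script that reads the appended output.txt extract and pulls out the account-management events for a given login ID, reporting when the account was created, disabled or deleted and which account performed the action. It assumes that the "-s" layout is Log,Record,Type,Source,Time,EventID,User,Computer,Description with the description last (verify this against your own psloglist output), that the description names the affected account after "New Account Name:" or "Target Account Name:", and that the event's User field is the administrator who acted. The sample extract embedded in it is constructed, not real log data.

```python
"""Search a PsLogList "-s" extract for account-management events on one login ID.

Added example, not part of the original post or of PsTools.  Assumptions
(verify against your own output): each "-s" line has the fields
  Log,Record,Type,Source,Time,EventID,User,Computer,Description
with Description last, so commas inside the description must not be split on.
"""
import re
import sys
from dataclasses import dataclass

# Event IDs from the post's batch file (Windows 2000/2003 Security log).
ACCOUNT_EVENTS = {
    624: "user account created",
    626: "user account enabled",
    628: "user account password set",
    629: "user account disabled",
    630: "user account deleted",
    642: "user account changed",
}

# Assumed: the affected account follows "New Account Name:" (624) or
# "Target Account Name:" (the other IDs); stop at the next space or comma.
TARGET_RE = re.compile(r"(?:New|Target) Account Name:\s*([^\s,]+)")

# Constructed sample extract (not real log data) in the assumed "-s" layout.
# The last line repeats the first, as happens when two daily "-d 1" runs overlap.
SAMPLE_EXTRACT = r"""
Security,120034,AUDIT SUCCESS,Security,3/3/2008 9:14:22 AM,624,CORP\jsmith,DC01,User Account Created: New Account Name: bjones New Domain: CORP Caller User Name: jsmith
Security,120035,AUDIT SUCCESS,Security,3/3/2008 9:14:22 AM,628,CORP\jsmith,DC01,User Account password set: Target Account Name: bjones Target Domain: CORP
Security,120201,AUDIT SUCCESS,Security,3/4/2008 4:40:05 PM,629,CORP\mlee,DC01,User Account Disabled: Target Account Name: tolduser Target Domain: CORP
Security,120202,AUDIT SUCCESS,Security,3/4/2008 4:41:10 PM,630,CORP\mlee,DC01,User Account Deleted: Target Account Name: tolduser, Target Domain: CORP
Security,120300,AUDIT SUCCESS,Security,3/5/2008 8:02:00 AM,528,CORP\bjones,WS042,Successful Logon: User Name: bjones Domain: CORP
Security,120034,AUDIT SUCCESS,Security,3/3/2008 9:14:22 AM,624,CORP\jsmith,DC01,User Account Created: New Account Name: bjones New Domain: CORP Caller User Name: jsmith
"""


@dataclass(frozen=True)
class Event:
    log: str
    record: int
    kind: str
    source: str
    time: str
    event_id: int
    user: str        # account the event was logged under (assumed: the acting admin)
    computer: str
    description: str


def parse_line(line: str) -> Event:
    """Split one "-s" line on at most eight commas so the description keeps its own."""
    parts = line.split(",", 8)
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
    log, record, kind, source, time, event_id, user, computer, desc = parts
    return Event(log, int(record), kind, source, time, int(event_id), user, computer, desc)


def parse_extract(text: str) -> list[Event]:
    """Parse a whole extract, skipping blank lines and dropping repeats of a record
    (same computer and record number) left behind by overlapping daily runs."""
    events, seen = [], set()
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line.rstrip("\r"))
        key = (ev.computer, ev.record)
        if key not in seen:
            seen.add(key)
            events.append(ev)
    return events


def target_account(ev: Event):
    """The login ID the event is about, lower-cased, or None if not present."""
    m = TARGET_RE.search(ev.description)
    return m.group(1).lower() if m else None


def account_history(events, login_id: str):
    """(time, action, acting user) for each account-management event on login_id, in log order."""
    wanted = login_id.lower()
    return [
        (ev.time, ACCOUNT_EVENTS[ev.event_id], ev.user)
        for ev in events
        if ev.event_id in ACCOUNT_EVENTS and target_account(ev) == wanted
    ]


def main(argv):
    # Usage: python <this script> output.txt LOGIN_ID   (with no arguments the sample is used)
    if len(argv) >= 3:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text, login = fh.read(), argv[2]
    else:
        text, login = SAMPLE_EXTRACT, "tolduser"
    for time, action, admin in account_history(parse_extract(text), login):
        print(f"{time}  {action:<28} by {admin}")


if __name__ == "__main__":
    main(sys.argv)
```

Because the description can itself contain commas, the script splits each line on at most eight commas rather than reading it as plain CSV; that same property is why a spreadsheet may shift columns on some rows, which the "-t" switch with a rarer delimiter avoids. Records repeated by overlapping daily runs are dropped by (computer, record number), so the running list can be appended to indefinitely without double counting.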